VU#795632
MIT Kerberos 5 ASN.1 decoding functions insecurely deallocate memory (double-free)

Published: 2004-09-02
Source: www.kb.cert.org

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
* Attack Vector: NETWORK
* Attack Complexity: LOW
* Privileges Required: NONE
* User Interaction: NONE
* Scope: UNCHANGED
* Confidentiality Impact: HIGH
* Integrity Impact: HIGH
* Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
* Access Vector: NETWORK
* Access Complexity: LOW
* Authentication: NONE
* Confidentiality Impact: PARTIAL
* Integrity Impact: PARTIAL
* Availability Impact: PARTIAL

EPSS: 0.214 Low (Percentile 96.4%)

Overview

The MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in double-free vulnerabilities. An unauthenticated, remote attacker could execute arbitrary code on a KDC server, which could compromise an entire Kerberos realm. An attacker may also be able to execute arbitrary code on Kerberos clients, or cause a denial of service on KDCs or clients.

Description

As described on the MIT Kerberos web site: “Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.” MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.

Kerberos 5 protocol messages are defined using Abstract Syntax Notation One (ASN.1). When the ASN.1 decoding functions in the MIT Kerberos 5 library hit an error condition, they free() the memory they allocated but return a pointer that still references it to the calling function. In some cases, error handling code in the calling function then free()s that same reference again, resulting in a double-free vulnerability. MITKRB5-SA-2004-002 explains in more detail:

In the MIT krb5 library, in all releases up to and including krb5-1.3.4, ASN.1 decoder functions and their callers do not use a consistent set of memory management conventions. The callers expect the decoders to allocate memory. The callers typically have error-handling code which frees memory allocated by the ASN.1 decoders if pointers to the allocated memory are non-null. Upon encountering error conditions, the ASN.1 decoders themselves free memory which they have allocated, but do not null the corresponding pointers. When some library functions receive errors from the ASN.1 decoders, they attempt to pass the non-null pointer (which points to freed memory) to free(), causing a double-free.

The MIT Kerberos 5 KDC is affected by a specific variant of this type of double-free condition. From MITKRB5-SA-2004-002:

In all releases of MIT krb5 up to and including krb5-1.3.4, cleanup code in the KDC frees memory returned by ASN.1 decoders. This cleanup code only frees memory pointed to by non-null pointers, but if an ASN.1 decoder returns an error, the cleanup code will free memory previously freed by the decoder.

The double-free conditions occur in the MIT Kerberos 5 library and affect the KDC and Kerberos clients.
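The ownership mismatch the advisory describes, as an added C example that is not MIT krb5 code: a toy decoder using the pre-fix convention beside the corrected one, both driven by a KDC-style caller and run through a small allocation tracker so the second free() is counted rather than corrupting the heap. Every name here (tracked_free, parse_tlv, decode_vulnerable, decode_fixed, run_caller) and the two TLV inputs are constructed for illustration.

```c
/* Added example, not MIT krb5 code: the decoder/caller ownership mismatch from
 * MITKRB5-SA-2004-002, run through a small allocation tracker so the second
 * free() is counted instead of corrupting the heap. Names are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracker: a free() of a block that is no longer live is recorded, not done. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;
static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;   /* p is not live: this would be a double free */
}

/* Stand-in for a decoded krb5 ASN.1 structure: one [tag][len][body] TLV. */
typedef struct { uint8_t tag; uint8_t len; uint8_t body[8]; } asn1_thing;

/* Returns 0 on success, -1 on malformed input (short or oversized body). */
static int parse_tlv(const uint8_t *buf, size_t n, asn1_thing *t) {
    if (n < 2 || buf[1] > sizeof t->body || (size_t)buf[1] + 2 > n) return -1;
    t->tag = buf[0]; t->len = buf[1];
    memcpy(t->body, buf + 2, buf[1]);
    return 0;
}

/* Pre-fix convention: on error the decoder frees what it allocated but
 * leaves *out pointing at the freed block. */
static int decode_vulnerable(const uint8_t *buf, size_t n, asn1_thing **out) {
    *out = tracked_malloc(sizeof **out);
    if (!*out) return -1;
    if (parse_tlv(buf, n, *out) != 0) {
        tracked_free(*out);   /* freed here ... */
        return -1;            /* ... but *out is still non-null */
    }
    return 0;
}

/* Fixed convention: identical cleanup, plus the pointer is nulled so the
 * caller's non-null check cannot free the block a second time. */
static int decode_fixed(const uint8_t *buf, size_t n, asn1_thing **out) {
    *out = tracked_malloc(sizeof **out);
    if (!*out) return -1;
    if (parse_tlv(buf, n, *out) != 0) {
        tracked_free(*out);
        *out = NULL;
        return -1;
    }
    return 0;
}

typedef int (*decoder_fn)(const uint8_t *, size_t, asn1_thing **);
/* Caller with KDC-style cleanup: free whatever is non-null after the call.
 * Returns how many double frees the tracker observed for this one call. */
static int run_caller(decoder_fn decode, const uint8_t *msg, size_t n) {
    int before = double_frees;
    asn1_thing *thing = NULL;
    (void)decode(msg, n, &thing);
    if (thing) tracked_free(thing);   /* second free() when decode failed */
    return double_frees - before;
}

/* Constructed inputs: a well-formed TLV and one whose length exceeds the data. */
static const uint8_t good_msg[] = { 0x6a, 0x03, 'a', 'b', 'c' };
static const uint8_t bad_msg[]  = { 0x6a, 0x09, 'a' };

int main(void) {
    printf("vulnerable decoder, bad input: %d double free(s)\n",
           run_caller(decode_vulnerable, bad_msg, sizeof bad_msg));
    printf("fixed decoder, bad input: %d double free(s)\n",
           run_caller(decode_fixed, bad_msg, sizeof bad_msg));
    return 0;
}
```

On well-formed input both decoders behave identically; the difference only appears on the error path, which is why the advisory's fix is a convention change (null the pointer, or have one side own the cleanup) rather than a parser change.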


Impact

An unauthenticated, remote attacker could execute arbitrary code on a KDC server. This could allow an attacker to gain the master secret for a Kerberos realm, leading to compromise of the entire realm. An attacker who is able to impersonate a KDC or application server may be able to execute arbitrary code on Kerberos clients. An attacker may also be able to crash a KDC or client, causing a denial of service.


Solution

Apply a patch

Apply the appropriate patch(es) referenced in MITKRB5-SA-2004-002 or specified by your vendor.

Upgrade

According to MITKRB5-SA-2004-002, “The upcoming krb5-1.3.5 release will contain fixes for these problems.”


Restrict access

Depending on network architecture, it may be practical to restrict access to KDC servers (88/udp) from untrusted networks such as the Internet. Due to network application requirements, it may be possible, but less practical, to limit access from Kerberos clients to trusted KDC and application servers. While these workarounds will help to limit the source of attacks, they will not prevent attacks from trusted hosts or networks or attackers who can successfully spoof their source addresses.


Vendor Information


Apple Computer Inc. Affected

Notified: July 21, 2004 Updated: May 10, 2005

Status

Affected

Vendor Statement

This is fixed in Security Update 2004-12-02, and further information is available from <http://docs.info.apple.com/article.html?artnum=61798>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23795632 Feedback>).

Debian Affected

Notified: July 21, 2004 Updated: September 03, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see DSA-543.

Fedora Legacy Project Affected

Updated: September 03, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see FEDORA-2004-276 (Fedora Core 1) and FEDORA-2004-277 (Fedora Core 2).

MIT Kerberos Development Team Affected

Updated: September 01, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MITKRB5-SA-2004-002.

MandrakeSoft Affected

Notified: July 21, 2004 Updated: September 03, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MDKSA-2004:088.

Red Hat Inc. Affected

Notified: July 21, 2004 Updated: September 02, 2004

Status

Affected

Vendor Statement

New krb5 packages are now available along with our advisory at the URLs below and by using the Red Hat Network ‘up2date’ tool. Please note that Red Hat Enterprise Linux 3 contained a fix for VU#350792 (CAN-2004-0772) from release, and for Red Hat Enterprise Linux 2.1 users this issue was fixed in a previous update, RHSA-2003:052.

<http://rhn.redhat.com/errata/RHSA-2004-448.html>
<http://rhn.redhat.com/errata/RHSA-2004-350.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Trustix Secure Linux Affected

Updated: September 03, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see TSL-2004-0045.

Cisco Systems Inc. Not Affected

Notified: July 21, 2004 Updated: September 02, 2004

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

CyberSafe Not Affected

Updated: September 02, 2004

Status

Not Affected

Vendor Statement

The CyberSafe products listed below are not vulnerable.

* CyberSafe Challenger 5.2.8 (this is the same code used within CISCO IOS)
* TrustBroker 2.0, 2.1
* ActiveTRUST 3.0, 4.0
* TrustBroker Application Security SDK & Runtime Library 3.1.0
* TrustBroker Secure Client 4.1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hitachi Not Affected

Notified: July 21, 2004 Updated: September 03, 2004

Status

Not Affected

Vendor Statement

Hitachi products are NOT affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

VanDyke Software Inc. Not Affected

Notified: July 21, 2004 Updated: September 02, 2004

Status

Not Affected

Vendor Statement

This vulnerability is not applicable to VanDyke Software products. VanDyke Software products do not link to any static Kerberos libraries. Instead, VanDyke Software products dynamically load shared libraries for GSSAPI-related functionality.

Due to the critical nature of this vulnerability in affected versions of MIT Kerberos, those using the GSSAPI authentication method for SSH2 authentication within an MIT Kerberos environment should install the patched version of MIT Kerberos immediately.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

WRQ Not Affected

Notified: July 21, 2004 Updated: September 02, 2004

Status

Not Affected

Vendor Statement

The double-free memory management vulnerabilities VU#795632, VU#866472 and VU#550464 are not applicable to the WRQ Reflection Kerberos Client. The WRQ Kerberos implementation uses Windows-based memory management routines and has been inspected to verify that this type of vulnerability is not present.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Conectiva Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc. Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

EMC Corporation Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F-Secure Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Guardian Digital Inc. Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Heimdal Kerberos Project Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to
https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to <http://app-06.www.ibm.com/servers/resourcelink> and follow the steps for registration.

All questions should be referred to [email protected].

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Ingrian Networks Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Juniper Networks Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

KTH Kerberos Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MontaVista Software Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Unknown

Notified: July 21, 2004 Updated: September 03, 2004

Status

Unknown

Vendor Statement

sent on September 3, 2003

[Server Products]

* Super computer SX operating system is NOT vulnerable.

We are investigating other products of ours.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nokia Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Novell Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SCO Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SSH Communications Security Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SuSE Inc. Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc. Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

TurboLinux Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems Inc. Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wirex Unknown

Notified: July 21, 2004 Updated: September 02, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Acknowledgements

Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-002 acknowledges Will Fiveash and Nico Williams.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2004-0642
Severity Metric: 20.55
Date Public:
